Posted by Tyno Gendo on 04/09/07 14:03
antony wrote:
>> i would simply have a count field in the database against the
>> usernames and on each unsuccessful attempt increase the counter.
>>
>> when they log in successfully, reset the counter. a flag could be in
>> there as to whether the account is active, if the count reaches a set
>> amount, flip the flag eg. user_active 'Y' or 'N'
>>
>> any user_active 'N' accounts cannot log in.
>>
>> add a datetime field also so you can do your checks for timeout expire
>> of the blocks etc.
>>
>> of course, this is all good for usernames that exist.
>
>
> so you only control the attempts at password insertion?
Say you had a table 'user' as such:
    user_id    INT AUTO_INCREMENT PRIMARY KEY
    user_name  varchar(80) NOT NULL
    user_pass  varchar(16) NOT NULL
    user_tries INT
When the user tries to log in (this is all off the top of my head, straight into
the newsreader, so not checked):
    define('MAX_RETRIES', 5);
    $logged_in = false;
    // escape the submitted username so it can't break out of the query
    $username = mysql_real_escape_string($_POST["username"]);
    $sql = "SELECT user_id, user_name, user_pass, user_tries
            FROM user WHERE user_name = '" . $username . "';";
    $ds = mysql_query($sql) or die(mysql_error());
    if (mysql_num_rows($ds)>0) { // username found match
        // a correct username at least, read details and check pass,
        // die if we can't read row (trigger_error better)
        $dr = mysql_fetch_assoc($ds) or die(mysql_error());
        if ( $_POST["password"]<>$dr['user_pass'] ||
             $dr['user_tries']>=MAX_RETRIES) {
            // we just checked if password not equal or if
            // tries exceeded, if either is the case then we
            // can't log in
            // retries not yet maxed out? increase in DB
            if ($dr['user_tries']<MAX_RETRIES) {
                $dr['user_tries']++;
                $sql = "UPDATE user SET user_tries=" . (int)$dr['user_tries'] . "
                        WHERE user_id = " . (int)$dr['user_id'];
                mysql_query($sql) or die(mysql_error());
            }
            // make sure login flag false
            $logged_in = false;
        } else { // username & pass must match if we get here.
            $logged_in = true;
            // reset the counter so old failed attempts don't pile up
            $sql = "UPDATE user SET user_tries=0 WHERE user_id = " . (int)$dr['user_id'];
            mysql_query($sql) or die(mysql_error());
        } //
    } else { // didn't even find username
        // some kind of failure message, but can't
        // lock an account here as we don't even have
        // a valid username, can't lock on IP if we don't
        // want to risk locking out loads of users who
        // might be using proxy, unless we don't care that
        // is!!
        $logged_in = false;
    } // mysql_num_rows($ds)>0
    if ($logged_in) { // true?
        echo "Login success!";
    } else {
        echo "Login failed.";
    }
>> if you're wanting to block any wrong logins, then use the REMOTE_ADDRESS
>> of the user. but this might block lots of people as they may use a
>> proxy so you might say block everyone on AOL indefinitely if you're not
>> at least doing the 'username' blocking method.
>
> this is because the remote_address cannot identify a single unique user?
> so you block when one writes exactly the username but after 5 attempts at
> inserting the password gets it wrong?
> and you block the user? for how much time?
>
> does this type of protection have a specific name?
It's just an IP-based security policy. But, as I say, there may be more
than one user with the same IP. Does anyone else use IP-based blocking who
might advise??
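The same counter scheme as an added example (not the poster's code): prepared statements instead of string-built SQL, a hashed password instead of comparing plain text, and antony's datetime field so a lock expires instead of staying set until someone resets it. It assumes PHP with PDO and SQLite; MAX_RETRIES is the thread's value, LOCK_SECONDS and the 'alice' account are made up for the demo.

```php
<?php
// Added example, not the original poster's code: the same counter scheme with
// antony's datetime field for lock expiry, prepared statements and hashed
// passwords. Runs stand-alone against an in-memory SQLite database.
define('MAX_RETRIES', 5);
define('LOCK_SECONDS', 900); // assumed lockout window of 15 minutes
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE user (
    user_id INTEGER PRIMARY KEY AUTOINCREMENT,
    user_name TEXT NOT NULL UNIQUE,
    user_pass TEXT NOT NULL,
    user_tries INTEGER NOT NULL DEFAULT 0,
    user_locked_until INTEGER)"); // user_pass holds a hash; locked_until is unix time or NULL
// constructed sample account
$db->prepare("INSERT INTO user (user_name, user_pass) VALUES (?, ?)")
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

function try_login(PDO $db, string $name, string $pass, int $now): bool {
    $st = $db->prepare("SELECT user_id, user_pass, user_tries, user_locked_until
                        FROM user WHERE user_name = ?");
    $st->execute([$name]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown username: nothing to lock, same answer as a bad password
    }
    $lockedUntil = $row['user_locked_until'] === null ? null : (int)$row['user_locked_until'];
    if ($lockedUntil !== null && $lockedUntil > $now) {
        return false; // still inside the lockout window: don't even check the password
    }
    // an expired lock starts a fresh count
    $tries = ($lockedUntil !== null) ? 0 : (int)$row['user_tries'];
    if (!password_verify($pass, $row['user_pass'])) {
        $tries++;
        $until = ($tries >= MAX_RETRIES) ? $now + LOCK_SECONDS : null;
        $db->prepare("UPDATE user SET user_tries = ?, user_locked_until = ? WHERE user_id = ?")
           ->execute([$tries, $until, $row['user_id']]);
        return false;
    }
    // success: reset the counter and clear any old lock
    $db->prepare("UPDATE user SET user_tries = 0, user_locked_until = NULL WHERE user_id = ?")
       ->execute([$row['user_id']]);
    return true;
}

$t = 1000000; // fixed clock so the run is reproducible
for ($i = 0; $i < MAX_RETRIES; $i++) { try_login($db, 'alice', 'wrong', $t); }
var_dump(try_login($db, 'alice', 'correct horse', $t));                    // attempt while locked
var_dump(try_login($db, 'alice', 'correct horse', $t + LOCK_SECONDS + 1)); // attempt after the lock expired
```

Note that while the lock is in force the password is not checked at all, so a locked account gives the same "failed" answer as an unknown username, which keeps the login page from confirming which usernames exist.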